Enterprise Authenticator Installation Patterns
This page describes several implementation patterns for using enterprise authenticators.
By using enterprise authenticators, you can restrict the authenticators that end users can use. There are several configuration options for determining the scope of these restrictions.
Please configure the settings according to your operational requirements.
Restricting the Authenticator Used by End Users for PC Login
When the administrator wants to pre-assign authenticators to end users and prevent them from registering any other authenticators:
- [Administrator] Enable the Enterprise Authenticator feature
  - Change the Enterprise Authenticator Management feature to “Enabled”.
  - Set Local (Domain) Account Device Logon Authenticator Registration Restriction to “Only enterprise authenticators assigned to the account can be registered”.
- [Administrator] Assign accounts and authenticators
- [Administrator] Distribute the assigned authenticators to end users
- [User] Register the assigned authenticator for their account
When the administrator wants to prevent the use of personal authenticators owned by end users, but allow them to register any authenticator provided by the company:
- [Administrator] Enable the Enterprise Authenticator feature
  - Change the Enterprise Authenticator Management feature to “Enabled”.
  - Set Local (Domain) Account Device Logon Authenticator Registration Restriction to “Only enterprise authenticators can be registered”.
- [Administrator] Distribute any company-provided authenticators to end users
- [User] Register the assigned authenticator for their account
Restricting the Authenticator Used by Administrators for Management Web Login
Requiring an authenticator when administrators log in to the management website can enhance security.
You can restrict the authenticators used for this login to enterprise authenticators only.
When the administrator wants to pre-assign authenticators to another administrator and prevent them from registering any other authenticators:
- [Administrator] Enable the Enterprise Authenticator feature
  - Change the Enterprise Authenticator Management feature to “Enabled”.
  - Set Administrator Authenticator Registration Restriction to “Only enterprise authenticators assigned to administrators can be registered”.
- [Administrator] Assign authenticators to another administrator
- [Administrator] Distribute the assigned authenticators to the other administrator
- [Another Administrator] Log in to the management website and register the distributed authenticator
When the administrator wants to prevent the use of personal authenticators owned by another administrator but allow them to register any authenticator provided by the company:
- [Administrator] Enable the Enterprise Authenticator feature
  - Change the Enterprise Authenticator Management feature to “Enabled”.
  - Set Administrator Authenticator Registration Restriction to “Only enterprise authenticators can be registered”.
- [Administrator] Distribute any company-provided authenticators to the other administrator
- [Another Administrator] Log in to the management website and register the distributed authenticator
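
To compare the two restriction settings used in both the PC login and the management web login patterns above, the following added example (an illustrative model, not the product's own code) evaluates the same registration attempts under each setting. The `Restriction` names, the unrestricted baseline, the authenticator IDs and the sample data are assumptions constructed for illustration; the page does not state how the product identifies an authenticator.

```python
from enum import Enum

class Restriction(Enum):
    # Hypothetical labels; the two restricted values quote the settings on this page.
    NONE = "no restriction (assumed baseline)"
    ENTERPRISE_ONLY = "Only enterprise authenticators can be registered"
    ASSIGNED_ONLY = "Only enterprise authenticators assigned to the account can be registered"

def may_register(mode, account, auth_id, inventory, assignments):
    """Return (allowed, reason) for one registration attempt.

    inventory   -- set of IDs the administrator manages as enterprise authenticators
    assignments -- dict mapping authenticator ID -> account it was assigned to
    """
    if mode is Restriction.NONE:
        return True, "no restriction configured"
    if auth_id not in inventory:
        return False, "not an enterprise authenticator"
    if mode is Restriction.ENTERPRISE_ONLY:
        return True, "enterprise authenticator"
    owner = assignments.get(auth_id)
    if owner is None:
        return False, "enterprise authenticator not assigned to any account"
    if owner != account:
        return False, "assigned to a different account"
    return True, "assigned to this account"

def rejected(mode, attempts, inventory, assignments):
    """List (account, auth_id, reason) for every attempt the mode would refuse."""
    refused = []
    for account, auth_id in attempts:
        ok, reason = may_register(mode, account, auth_id, inventory, assignments)
        if not ok:
            refused.append((account, auth_id, reason))
    return refused

# Constructed sample data (not taken from any real deployment).
INVENTORY = {"KEY-001", "KEY-002", "KEY-003"}
ASSIGNMENTS = {"KEY-001": "alice", "KEY-002": "bob"}
ATTEMPTS = [
    ("alice", "KEY-001"),     # her own assigned key
    ("bob", "KEY-001"),       # company key assigned to someone else
    ("carol", "KEY-003"),     # company key, unassigned spare
    ("carol", "PERSONAL-9"),  # personally owned key
]

if __name__ == "__main__":
    for mode in Restriction:
        print(mode.name, rejected(mode, ATTEMPTS, INVENTORY, ASSIGNMENTS))
```

Under this model, the "assigned" setting also refuses a company key that is unassigned or assigned to a different account, which is why that pattern includes the assignment step before distribution.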